Check out the new USENIX Web site.
18th Large Installation System Administration Conference, November 14-19, Atlanta, GA

TRAINING TRACK

Wednesday, November 17, 2004
W1 Network Security Assessments Workshop—Hands-On (Day 2 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.

How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This hands-on workshop will cover the essential topics for performing an effective and safe network assessment.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (http://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD, otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • Preparation: What you need before you even begin
  • Safety measures: This often-overlooked topic will cover important practical steps to minimize or eliminate adverse effects on critical networks
  • Architecture considerations: Where you scan from affects how you perform the assessment
  • Inventory: Taking an accurate inventory of active systems and protocols on the target network
  • Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls
  • Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use
  • Research and development: What to do when existing tools don't suffice
  • Documentation and audit trail: How to keep accurate records easily
  • How to compile useful reports: Planning for corrective action and tracking your security measures

Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components.

Day 1

  • Lab setup and preparation
  • Security assessment overview
    • Types of assessments
    • Choosing an assessment approach
  • Assessment preparation
    • Defining the purpose
    • Rules of engagement
    • Assessment logistics
    • Open vs. closed testing
    • Passive vs. active testing; depth of testing
    • Denial of service (DoS)
    • Enumeration of target information
    • Permission
  • Assessment safety
    • Verification of tool authenticity
    • Vetting tools
    • Safety concepts
    • The dangers of automated scanners
    • Automated tool safety summary
  • Documentation and audit trail
  • Assessment phase 1: network inventory
    • Ping scanning
    • Discrete port scanning (host inventory only)
    • DNS queries
    • Traceroute
    • ARP scanning

Day 2

  • Assessment phase 2: target analysis
    • TCP port scanning
    • UDP port scanning
    • SNMP
  • Assessment phase 3: exploitation and confirmation
    • Automated vulnerability scanning tools
    • (Online) brute-force attacks
    • (Offline) password cracking
    • Manual testing
  • Special consideration testing
    • Firewalls and routers
    • Auditing email servers
    • Web servers
    • Stealth technique summary
  • Vulnerability scanning tools
    • Automated scanning tools
    • Commercial scanners
  • Nessus
    • Nessus Clients
    • Using Nessus

David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.

W2 Defeating Junk/Spam Email NEW!
Marcus Ranum, Trusecure Corp.
9:00 a.m.–5:00 p.m.

Who should attend: Network and system administrators responsible for email systems; people who are annoyed by junk email; mail server administrators; senior managers who want to understand the technologies for blocking junk email. Some familiarity with Internet email systems is recommended. Familiarity with UNIX system administration is a must.

Is unplugging from the network the only way to avoid junk email? Many organizations are finding that junk email is a major time-waster and performance hog. Some individuals are finding that, every morning, 95% of their inbox is garbage.

This workshop covers real-world issues in dealing with junk email, and how to block a significant percentage of it from your personal or corporate network. Attendees will learn the various techniques of junk email blocking, the tools that are available, and the advantages and disadvantages of various approaches. We will also examine a number of popular tools in detail, and discuss configuration and tuning issues.

Topics include:

  • Junk email: you know what it is when you get it
  • Whitelisting, blacklisting, and blackholing
    • Early attempts at junk email blocking
    • The state of the art in junk email blocking
  • Tools and techniques
    • Setting up a centralized junk email blocking system
    • Integrating junk email blocking into various mail clients
    • Integrating junk email blocking into various servers
    • Legalities and legal initiatives

Marcus Ranum (M4, W2) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

W3 Regular Expression Mastery
Mark-Jason Dominus, Consultant and Author
9:00 a.m.–12:30 p.m.

Who should attend: System administrators and users who use Perl, grep, sed, awk, procmail, vi, or emacs.

Almost everyone has written a regex that produced unexpected results. Sometimes regexes appear to hang forever, and it's not clear what has gone wrong. Sometimes they behave differently in different utilities, and you can't tell why. This class will fix all these problems.

The first section of the class will explore the matching algorithms used internally by common utilities such as grep and Perl. Understanding these algorithms will allow us to predict whether a regex will match, which of several matches will be found, and which regexes are likely to be faster than others, and to understand why all of these behaviors occur. We'll learn why commonly used regex symbols such as ".", "$", and "\1" may not mean what you thought they did.

In the second section, we'll look at common matching disasters, a few practical parsing applications, and some advanced Perl features. We'll finish with a discussion of optimizations that were added to Perl 5.6, and why you should avoid using "/i".

Topics include:

  • Inside the regex engine
    • Regular expressions are programs
    • Backtracking
    • NFA vs. DFA
    • POSIX and Perl
    • Quantifiers
    • Greed and anti-greed
    • Anchors and assertions
    • Backreferences
  • Disasters and optimizations
    • Where machines come from
    • Disaster examples
    • Tokenizing
    • New optimizations
    • Matching strings with balanced parentheses

Mark-Jason Dominus (W3, W6) has been programming in Perl since 1992. He is a moderator of the comp.lang.perl.moderated newsgroup, the author of the Text::Template, Tie::File, and Memoize modules, a contributor to the Perl core, and author of the perlreftut man page. His work on the Rx regular expression debugger won the 2001 Larry Wall Award for Practical Utility. He lives in Philadelphia with his wife and several plush octopuses.

W4 Cisco Device Configuration Basics, Part 1 NEW!
Steve Acheson and Laura Kuiper, Cisco Systems
9:00 a.m.–12:30 p.m.

Who should attend: Anyone who bought a Cisco router or switch on eBay and wants to know how to configure it.

This class will go through the steps you need to take to configure your router or switch from the day you receive it to actually using it.

Topics include:

  • Introduction to IOS and its naming
  • Cabling your device(s)
  • Loading a new image
  • Stepping through the configuration basics
    • Using the "Setup" script
    • Using the Cisco command line interface
    • Setting up a hostname, DNS, etc.
    • Setting up Network Time Protocol (NTP)
  • Router Specifics
    • Configuring the interfaces and IP addresses
    • Forwarding packets (basic routing)
  • Switch specifics
    • Configuring ports
    • Setting up VLANs
  • Security: Access Control List basics
  • Troubleshooting
    • "show" commands
    • "debug" commands
    • CDP (Cisco Discovery Protocol)

Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco Systems, Inc., where he is a senior member of the Corporate Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Steve managed security for NASA's Numerical Aerospace Simulations facility at Ames Research Center. He has worked in the field for over 15 years as a system administrator, network engineer, and security analyst.

Laura Kuiper (W4, W7, F2) is currently a Computer Security Architect at Cisco Systems, Inc., where she is a senior member of the Computer Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Laura managed the network at SAIC. She has worked in the field as a network engineer and security analyst for over 9 years.

W5 Oracle Backup and Recovery
W. Curtis Preston, Glasshouse Technologies
9:00 a.m.–12:30 p.m.

Who should attend: System administrators with Oracle in their environment.

Oracle is one of the most popular databases in today's datacenter, and yet its backup and recovery are often misunderstood and misconfigured. Learn everything you need to know about Oracle and its backups in this half-day tutorial. We'll start with an explanation of Oracle architecture, designed especially for the non-DBA. We'll debunk a few myths along the way, such as the one that says Oracle datafiles don't change while Oracle is in backup mode. (You'd be surprised how many people believe that myth.) Other myths we'll debunk include "You can't do hot backups without RMAN" and "You can't use RMAN without buying expensive backup software." Having explained all the pieces that go into Oracle backup and recovery, the instructor will demonstrate various Oracle backup and recovery scenarios live.

Topics include:

  • Oracle architecture
  • Data files
  • Tablespaces
  • Redo logs
  • Control files
  • Rollback segment
  • Physical backups without a storage manager
    • Scripting backups without RMAN
    • Using RMAN without a storage manager
  • Physical backups with a storage manager
  • Managing the archived redo logs
  • Recovering Oracle
  • Logical backups

W. Curtis Preston (T12, W5) is Vice President of Service Development for Glasshouse Technologies, the global leader in independent storage services. Curtis has ten years' experience designing storage systems for many environments, both large and small. As a recognized expert in the field, Curtis has advised the major product vendors regarding product features and implementation methods. Curtis is the administrator of the NetBackup and NetWorker FAQs and answers the "Ask The Experts" backup forum on SearchStorage.com. He is also the author of O'Reilly's UNIX Backup & Recovery and Using SANs & NAS, as well as a monthly column in Storage Magazine.

W6 Perl Program Repair Shop and Red Flags
Mark-Jason Dominus, Consultant and Author
1:30 p.m.–5:00 p.m.

Who should attend: Anyone who writes Perl programs regularly. Participants should have at least three months' experience programming in Perl.

You've probably been working too hard when you program, writing twenty lines of code when you only needed ten. But there is a better way, and I will show it to you. You'll learn how to improve your own code and the code of others, making it cleaner, more readable, more reusable, and more efficient, while at the same time making it 30-50% smaller. Smaller code contains fewer bugs and takes less time to maintain.

We will examine several real code examples in detail and see how to improve them. We'll focus on red flags--warning signs in your code that are plainly visible once you know what to look for--and on techniques that require little complex thought or ingenuity. All the bad code in this class is guaranteed 100% genuine and typical.

Participants are encouraged to submit their own code for anonymous review in the class. (Send it to mjd-lisa-2003+@plover.com.) Class content varies depending on submissions, but is sure to include some of the topics listed below.

Topics include:

  • Families of variables
  • Making relationships explicit
  • Refactoring
  • Programming by convention
  • The Flesh Blanket
  • Conciseness
  • Why you should avoid the "." operator
  • Elimination of global variables
  • Superstition
  • The "use strict" zombies
  • Repressed subconscious urges
  • The cardinal rule of computer programming
  • The psychology of repeated code
  • Techniques for eliminating repeated code
  • What can go wrong with "if" and "else"
  • The Condition That Ate Michigan
  • Resisting "Holy Doctrine"
  • Trying it both ways
  • Structural vs. functional code
  • Elimination of structure
  • Boolean values
  • Programs that take two steps forward and one step back
  • Programs that are 10% backslashes
  • 'print print print print print '
  • C-style "for" loops
  • Loop counter variables
  • Array length variables
  • Unnecessary shell calls
  • How (and why) to let "undef" be the special value
  • Confusion of internal and external representations of data
  • Tool use
  • Elimination of repeated code with higher-order functions
  • Learning to use a hammer
  • The "swswsw" problem
  • Avoiding special cases
  • Using uniform data representations

Mark-Jason Dominus (W3, W6) has been programming in Perl since 1992. He is a moderator of the comp.lang.perl.moderated newsgroup, the author of the Text::Template, Tie::File, and Memoize modules, a contributor to the Perl core, and author of the perlreftut man page. His work on the Rx regular expression debugger won the 2001 Larry Wall Award for Practical Utility. He lives in Philadelphia with his wife and several plush octopuses.

W7 Cisco Device Configuration Basics, Part 2 NEW!
Steve Acheson and Laura Kuiper, Cisco Systems
1:30 p.m.–5:00 p.m.

Who should attend: Anyone who bought a Cisco router or switch on eBay and wants to know how to configure it. This class will build on the morning class, W4, to help you get the most out of your Cisco equipment.

Topics include:

  • Review of IOS capabilities and image features
  • Setting up SNMP monitoring
  • SSH (secure access)
  • Switch specifics
    • Spanning tree
    • Trunking
    • Differences between CatOS- and IOS-based switches
  • Router Specifics
    • Making your router a DHCP server
    • Doing NAT/PAT with your router
    • Using the GUI SDM (Security Device Manager) to configure your router
  • More security
    • PVLAN edge (protected port)
    • Local authentication
    • RADIUS authentication
    • Advanced ACLs
    • Using your router as a VPN gateway
  • Additional capabilities your router offers

Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco Systems, Inc., where he is a senior member of the Corporate Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Steve managed security for NASA's Numerical Aerospace Simulations facility at Ames Research Center. He has worked in the field for over 15 years as a system administrator, network engineer, and security analyst.

Laura Kuiper (W4, W7, F2) is currently a Computer Security Architect at Cisco Systems, Inc., where she is a senior member of the Computer Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Laura managed the network at SAIC. She has worked in the field as a network engineer and security analyst for over 9 years.

W8 Introduction to Host Configuration and Maintenance with Cfengine
Mark Burgess, Oslo University College
1:30 p.m.–5:00 p.m.

Who should attend: System administrators with a minimal knowledge of a scripting language who wish to start using cfengine to automate the maintenance and security of their systems. UNIX administrators will be most at home in this tutorial, but cfengine can also be used on Windows 2000 and above.

Cfengine is a tool for setting up and maintaining a configuration across a network of hosts. It is sometimes called a tool for "Computer Immunology"--your computer's own immune system. You can think of cfengine as a very high level language, much higher-level than Perl or shell, together with a smart agent. The idea behind cfengine is to create a single "policy" or set of configuration files that describes the setup of every host on your network, without sacrificing their autonomy.

Cfengine runs on every host and makes sure that it is in a policy-conformant state; if necessary, any deviations from policy rules are fixed automatically. Unlike tools such as rdist, cfengine does not require hosts to open themselves to any central authority, nor to subscribe to a fixed image of files. It is a modern tool, supporting state-of-the-art encryption and IPv6 transport, that can handle distribution and customization of system resources in huge networks (tens of thousands of hosts). Cfengine runs on hundreds of thousands of computers all over the world.

Topics include:

  • The components of cfengine and how they are used
  • How to get the system running
  • How to develop a suitable policy, step by step
  • Security
  • Examples
  • How to customize cfengine for special tasks

Mark Burgess (W8, F4) is a professor at Oslo University College and is the author of cfengine. He has been researching the principles of network and system administration for over ten years and is the author of Principles of Network and System Administration (John Wiley & Sons). He is frequently invited to speak at conferences.


Last changed: 16 Aug. 2004 ch